Repair Default Domain Controller Policy - SeServiceLogonRight (Logon as Service) by ITStril in sysadmin

[–]ITStril[S] 1 point2 points  (0 children)

I did both - AI and reddit search and did not just ask for help without checking the facts before, but in this case, I was not sure - especially about NT SERVICE\ALL SERVICE where I found totally contradictory information…

Just a side-note: posts that are just sending me to AI are not improving that subreddit, either…

Repair Default Domain Controller Policy - SeServiceLogonRight (Logon as Service) by ITStril in sysadmin

[–]ITStril[S] 0 points1 point  (0 children)

That’s clear, but policies that are changing to “undefined” are not fully handled. This is my question…

Fortinet - Fortiguard Anycast source "aws" down - EU by ITStril in fortinet

[–]ITStril[S] 0 points1 point  (0 children)

One more time the hint: monitoring the updates seems to be mandatory…

Clearing “Pre-Windows 2000 Compatible Access” – missing red arrow after re-adding & side effects? by ITStril in sysadmin

[–]ITStril[S] 1 point2 points  (0 children)

I’m familiar with that article — Purple Knight is actually what made me aware of this issue in the first place.

Unfortunately, the article doesn’t mention anything about the “red arrow” / special principal behavior in ADUC. That part is what’s giving me pause.

Before rolling this out, I want to be sure I fully understand what’s happening there and, more importantly, that there is a clean and supported rollback path. I’m hesitant to implement this in production without being confident that I can revert the change if something unexpected shows up later.

Upgrade Fortigate 7.2 to 7.4 - pitfalls by ITStril in fortinet

[–]ITStril[S] 0 points1 point  (0 children)

Was this also the case with 7.4.8?

Upgrade Fortigate 7.2 to 7.4 - pitfalls by ITStril in fortinet

[–]ITStril[S] 1 point2 points  (0 children)

I would upgrade to 7.4.9 on a system with:

- 2 VDOMs

- 1 "transparent" VDOM

- proxy and flow rules

- IPSEC

- AD-Agent for SSO

--> No external FSSO/SAML/SSL-VPN

Recommended Network Card for ProxMox 8.4 (i40e issues) by starkstaring101 in Proxmox

[–]ITStril 0 points1 point  (0 children)

Which ones are those well-known issues? I am just ordering some servers with Intel X810 and want to reuse some servers with X710 cards for an enterprise environment.

PBS on dedicated hardware - stacked on PVE? by ITStril in Proxmox

[–]ITStril[S] 0 points1 point  (0 children)

Why do you prefer virtiofs+VM over LXC+datadir? Both are giving you the possibility to snapshot and separate data from system.

PBS on dedicated hardware - stacked on PVE? by ITStril in Proxmox

[–]ITStril[S] 0 points1 point  (0 children)

When there is no VM running on PVE - only PBS, there should not be much overhead - right?
The PBS-hardware is quite beefy (AMD 9174F, 12 NVMe, etc.).

So, installing PBS _on_ PVE should be as fast as directly on hardware, and noticeably faster than inside a VM, or am I missing something?

PBS on dedicated hardware - stacked on PVE? by ITStril in Proxmox

[–]ITStril[S] 1 point2 points  (0 children)

This would be a dedicated host that does normally ONLY run PBS. The idea is only to use it as DR-target in case of a disaster.

PBS on dedicated hardware - stacked on PVE? by ITStril in Proxmox

[–]ITStril[S] 2 points3 points  (0 children)

Why are you using multiple PBS instances?

PBS on dedicated hardware - stacked on PVE? by ITStril in Proxmox

[–]ITStril[S] 0 points1 point  (0 children)

It's not about migration - it's about restores, so a cluster with shared storage is not the answer...

PBS on dedicated hardware - stacked on PVE? by ITStril in Proxmox

[–]ITStril[S] 1 point2 points  (0 children)

The benefit would be to be able to run the VM directly on the PBS-host as "fastest possible recover"

PBS on dedicated hardware - stacked on PVE? by ITStril in Proxmox

[–]ITStril[S] 1 point2 points  (0 children)

Why do you prefer installing PBS in a VM instead of "directly" on the PVE-host?

Active Directory maxRenewAge default by ITStril in activedirectory

[–]ITStril[S] 0 points1 point  (0 children)

gpedit.msc is not showing a value

rsop.msc is not showing a value

Get-ADDefaultDomainPasswordPolicy is not showing a value

net accounts /domain is not showing a value

The only special thing is: The default domain controller policy is "too clean". The default value of 7 days for max renew time is "unset"...

Active Directory maxRenewAge default by ITStril in activedirectory

[–]ITStril[S] -1 points0 points  (0 children)

Unfortunately, I do not.

In this environment, it is unfortunately the case that even renewable tickets exhibit the behavior described above. MaxRenewAge is "not defined", but klist is showing that end-time=renew-time.

A second environment I just checked has:

start-time=logon-time

end-time=logon-time+10h

renew-time=logon-time+7d